Feature #3727
open
Security: Make session hijacking harder
Added by Carsten Rose about 7 years ago.
Updated 9 months ago.
Description
- Problem 1: setting '[FE][lockIP] = 0' reduces the protection against session hijacking for FE users.
- Problem 2: QFQ does not implement session hijacking detection based on a changed IP.
Both could easily be implemented:
- Re 1)
- Either write an extension that always allows certain IPs (e.g. the local IPs) - such extensions have existed.
- Or implement this check in QFQ (e.g. by having QFQ terminate if the current FE user belongs to an FE group)
- Re 2) implement it. Ideally configured similarly to '[FE][lockIP]'
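
A sketch of the changed-IP check the description asks for, as an added example that is not QFQ or TYPO3 code. It assumes a setting that, like '[FE][lockIP]', takes 0 (off) or 1 to 4 (number of leading IPv4 octets that must stay the same), plus a list of always-allowed ranges. The function names, the `ipLock` session key and the sample addresses are hypothetical, and a 64-bit PHP build is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration; helper names are hypothetical, not QFQ or TYPO3 code.
// $lockIp: 0 = check off, 1..4 = leading IPv4 octets that must not change.
function ipLockPrefix(string $ip, int $lockIp): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv6 or malformed input is not handled here
    }
    return implode('.', array_slice(explode('.', $ip), 0, min($lockIp, 4)));
}

// True if the IPv4 address lies inside the CIDR range (e.g. '10.0.0.0/8').
function inCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Binds the session to the client's IP prefix on first use, then compares.
function sessionIpStillValid(array &$session, string $remoteIp, int $lockIp, array $exemptCidrs): bool
{
    if ($lockIp <= 0) {
        return true; // same meaning as lockIP = 0: no IP binding
    }
    $current = ipLockPrefix($remoteIp, $lockIp);
    if ($current === null) {
        return false; // fail closed on addresses we cannot compare
    }
    foreach ($exemptCidrs as $cidr) {
        if (inCidr($remoteIp, $cidr)) {
            return true; // "always allowed" addresses, e.g. the local network
        }
    }
    if (!isset($session['ipLock'])) {
        $session['ipLock'] = $current;
        return true;
    }
    return hash_equals($session['ipLock'], $current);
}

// Constructed sample values (documentation address ranges).
$session = [];
$exempt = ['10.0.0.0/8'];
foreach (['198.51.100.23', '198.51.100.77', '203.0.113.5', '10.1.2.3'] as $ip) {
    $ok = sessionIpStillValid($session, $ip, 3, $exempt);
    echo $ip, ' -> ', $ok ? 'session kept' : 'end session', PHP_EOL;
}
```

When the function returns false, the caller would destroy the session and require a fresh login; exempt ranges skip the comparison entirely, so they should stay as narrow as possible.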
- Target version set to next9
- Target version changed from next9 to 18.10.3
- Assignee changed from Carsten Rose to Elias Villiger
- Assignee changed from Elias Villiger to Carsten Rose
- Target version changed from 18.10.3 to 18.12.1
- Target version changed from 18.12.1 to 141
- Target version changed from 141 to QFQCD19 - waere gut
- Status changed from New to Some day maybe
- Status changed from Some day maybe to New
- Target version changed from QFQCD19 - waere gut to next6
- Target version changed from next6 to next4
- Target version changed from next4 to Check if 'high' is still necessary
- Assignee changed from Carsten Rose to Support: Web
- Priority changed from High to Normal
- Target version changed from Check if 'high' is still necessary to CodingWeek2023
- Prio Planung set to No